How to create a cyber immune system?

Is it possible to make a hack-proof system?

What is cyber immunity and how to build an operating system based on the concept.

A new approach to protecting information systems is currently gaining popularity in the cybersecurity world: cyber immunity. Systems based on this approach need no antivirus since they’re so well-protected that any hacking attempt would be too hard and prohibitively expensive to successfully carry out.

Sounds too good to be true? Believe it or not, it’s already becoming a reality. Let’s explain in simple terms how exactly cyber immunity works in practice.

We’ll start with the concept of a trusted computing base (TCB), which every information system must have. This is code that developers have no choice but to trust since it’s used to implement security-critical components of the system. Since this code is so vital, to safeguard a system we must first ensure the security of its TCB. How? We suggest using the three following principles:

  1. Minimizing the TCB
  2. Isolating components from each other
  3. Maintaining strict control over all interactions of those components

Let’s look at these three principles in more detail.

1. Minimize the TCB

The TCB should contain as few lines of code as possible. After all, the less code – the smaller the attack surface and the fewer vulnerabilities in it. For this reason, a cyber immune operating system needs a microkernel architecture.

The most popular modern operating systems such as Windows and Linux were originally built with functionality and ease-of-development in mind, meaning they use a monolithic kernel, which is a major disadvantage. That’s because such kernels contain all sorts of stuff – from interrupt control code to drivers. The result is millions of lines of code, with their number only growing from version to version.

A microkernel, on the other hand, is limited to the mechanisms critical for operation, amounting to no more than a few tens of thousands of lines of code. Everything else (drivers, file systems, etc.) runs as services in user mode.

According to a relevant study:

  • 96% of critical vulnerabilities in traditional operating systems would not be critical in a microkernel OS.
  • Up to 40% of critical vulnerabilities would not be possible at all.
  • 57% of all vulnerabilities would be low severity.

Thus, microkernel implementation renders entire classes of cyberattacks obsolete by default.

Minimizing the TCB

2. Isolate components from each other

A cyber immune system is heterogeneous. It’s divided into specific security domains according to the code’s level of trust, with all components isolated from each other by means of these domains. If any system component is hacked, the intruder won’t be able to access neighboring ones and expand the attack through them. This makes it possible to use third-party components (for example, open-source code) without compromising the security of the system.

Isolation significantly reduces both the cyber-risks involved and the labor costs required to create a secure system due to use of third-party code.

Isolating components from each other

3. Control all interactions

All interactions among system components are carefully controlled by a special module: the security monitor. The security monitor checks every interaction between components for compliance with the security policies. If an interaction is valid – it’s allowed; if not – it’s blocked. The potential attacker’s capabilities are significantly reduced as a result.

The security monitor concept is based on the widely-used FLASK architecture, which entails the separation of Policy Decision Points and Policy Enforcement Points.

Using a security monitor eliminates the risk of entire classes of cyberattacks by ruling out any interactions that are not explicitly stated in the security policies.

Maintaining strict control over all interactions of components

Putting all three principles together, we get the following scheme:

Complete scheme

All entities are isolated, and they communicate with each other only through the microkernel – with such communication always checked for compliance with the security policies.

It is these three principles that form the basis of our operating system – KasperskyOS. KasperskyOS is built upon its own microkernel (not Linux) with around 100,000 lines of code, and employs the MILS and FLASK architectural approaches to provide isolation and control of interactions. This makes KasperskyOS the perfect tool for creating cyber immune products.

Cyber Immunity is no longer a sci-fi concept. The concept already underpins various products, such as cyber immune IoT gateways and cyber immune thin clients. And the list is only set to grow. Thus, the rapidly approaching future will become overall more secure. In the words of ARC Advisory Group: “Cyber Immunity can be the new foundation for how digital transformation can be implemented more securely.”

Tips